## The access file

The access file should contain a list of lines with 3 colon-separated fields:
Aliases represent a grouping of names and start with an ‘@’ (Perl array syntax); otherwise singular names should be used. The host alias and account alias fields may contain a comma-separated list of singular names or aliases. Key label(s) should match the key labels used in the key (group) files (in keys.d/*).
Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.
Examples:
→ grants the owner of public key John_Doe access to the local account dteadm on hosts foo1 and foo2
→ grants the owners of all public keys in the @dte_devs group access to the local account dteadm on all hosts in the dev_hosts group
→ grants the owners of all public keys in the @dte_devs group access to all local account(s) in the dev_accounts group on all hosts in the dev_hosts group
## The alias file

The alias file should contain a list of lines with 2 colon-separated fields:
Alias identifiers should always start with an ‘@’ (Perl array syntax) to indicate their grouping status. Alias members may themselves be aliases (groups), nested at most 5 levels deep. All aliases should be unique across the entire SSH Controls namespace.
Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.
Examples:
→ means the dev_hosts group contains the items foo1 and foo2; in this case they would represent a group of servers.
→ means the dte_devs group contains all persons in the dev_admin group plus the users John_Doe and Jane_Doe.
## The targets file

The targets file should contain a list of host names **and/or @alias names**, one per line.
Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.
## The keys file(s)

The keys file(s) should contain a list of pre-formatted SSH public keys and info:
Examples:
```
John_Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQEA1lDB+2r82ZyuJH9kYs1mtLGgDvQH1zeUf6UKNlVWD9++Bm/iFYuKdZxnEv8BmcMXEmWzeOEW7knCbrFqeOsDIB7IuOYjVsI5QpKg1PIY6S8Q==
```
Each key entry should be on exactly ONE line. Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.
The easiest way is to use the convert_pubkey.pl script to re-format public keys into the SSH Controls format:
Please do not use key labels with spaces (use underscores instead). You can store the output of the above command either in a single file (i.e. the keys file) or in individual files located in a keys.d directory:
- A keys file:

```
[master:/etc/ssh_master]$ ls -l keys
-rw-r--r-- 1 sshadmin sshadmin 97344 Mar 29 10:57 keys
[master:/etc/ssh_master]$ cat keys
John_Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQEA1lDB+2r82ZyuJH9kYs1mtLGgDvQH1zeUf6UK
NlVWD9++Bm/iFYuKdZxnEv8BmcMXEmWzeOEW7knCbrFqeOsDIB7IuOYjVsI5QpKg1PIY6S8Q==
Jane Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQB+7nymWVZwg3Njpf+Jp5VqDJUoKy/ypDtTR3Jg
ro7GWlihGxgUz3Jk8eew5GEze0LELEL67qq==
```
Note: key entries are split over multiple lines here to enhance readability.
- A keys.d directory:

Individual files inside the keys.d directory may themselves contain multiple keys, which allows for key grouping. Key files may have an optional file extension, e.g. test_user.keys.
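As an added example (not part of SSH Controls itself), the parser below validates a keys file in the `label, key type, base64 blob` layout shown above: it skips ‘#’ comments, rejects labels containing spaces, rejects duplicate labels, and checks that the key type declared in the second field matches the type string embedded at the start of the decoded SSH public key blob. The sample file contents and the ed25519 blob are constructed here, not taken from the page.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _first_ssh_string(blob: bytes) -> bytes:
    """Return the first length-prefixed string of a public key blob (its key type)."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated blob")
    return blob[4:4 + n]


def parse_keys_file(text: str) -> tuple[dict[str, tuple[str, bytes]], list[str]]:
    """Parse keys-file text into {label: (key type, raw blob)} plus a list of rejected lines."""
    keys: dict[str, tuple[str, bytes]] = {}
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 3 comma-separated fields")
            continue
        label, ktype, b64 = fields
        if " " in label:                          # labels must not contain spaces
            problems.append(f"line {lineno}: label {label!r} contains a space")
            continue
        if label in keys:
            problems.append(f"line {lineno}: duplicate label {label!r}")
            continue
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded = _first_ssh_string(blob).decode("ascii")
        except (ValueError, UnicodeDecodeError) as exc:
            problems.append(f"line {lineno}: undecodable key blob ({exc})")
            continue
        if embedded != ktype:                     # declared type must match the blob
            problems.append(f"line {lineno}: declared type {ktype} but blob says {embedded}")
            continue
        keys[label] = (ktype, blob)
    return keys, problems


# Constructed sample: a structurally valid ssh-ed25519 blob with a dummy 32-byte point.
_ED25519_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
SAMPLE_KEYS_FILE = f"""# constructed keys file, not real keys
John_Doe, ssh-ed25519, {_ED25519_BLOB}
Jane Doe, ssh-ed25519, {_ED25519_BLOB}
Bad_Type, ssh-rsa, {_ED25519_BLOB}
"""
```

Running `parse_keys_file(SAMPLE_KEYS_FILE)` accepts only John_Doe and reports the spaced label and the type mismatch.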